In this article, Mike McGrath, Penetration Tester and IT Security Consultant at Bridewell Consulting, outlines how hacking has evolved and how businesses can best protect themselves against a new generation of hackers.
It is an uncomfortable truth that in 2020 it is no longer possible for businesses to completely protect themselves from cyber threats. Every organisation should be braced for such an attack at some point and be primed and ready to respond effectively.
Many organisations have lost value or suffered reputational damage from a badly managed response to a cyber attack. In this environment it is imperative businesses learn how to best protect themselves against the new generation of hackers. But before they can do this, they need to understand who is behind the attacks and why they do it.
What motivates hackers?
There are many different types of hackers. Some are looking to benefit financially by stealing data or even going so far as to hold companies to ransom, like the criminal gang that only recently forced Travelex to take down all of its global websites and demanded £2.3m.
But, perhaps surprisingly, for most hackers the motivation is often curiosity. These people hack because they can and want to gain notoriety, prove themselves to others, or just want to challenge themselves. There is also another type of motivation which is to disrupt. Hacktivist organisations hack to make a point, to embarrass their targets and to see how much chaos they can generate.
While the motivations of hackers have remained consistent over the years, the techniques that hackers are using are changing. Social engineering has always been a primary platform for a hacker. If you look at a lot of the most famous hackers, in particular those that have made it onto America’s most wanted lists, they are often very talented social engineers.
However, whilst it has always been used to some extent, social engineering and phishing are now the primary method of hacking and delivering malware. These techniques have become increasingly common as organisations become better at implementing technical controls.
Hackers find it much more effective to target the human element instead of trying to get through a highly sophisticated technical defence. In fact, in many ways hacking is now easier, as tools have evolved and ready-made phishing platforms have emerged.
So with hacking becoming easier and employees the main target, how can businesses ensure they remain protected?
An effective strategy
New security issues and hacking techniques are emerging all the time, so it’s impossible for businesses to completely future-proof their organisation from hackers.
However, there are basic steps that businesses can take such as putting in place regular security assessments, a strong patching and password policy, and enforcement of multi-factor authentication on every public facing system.
Security audits should also be organised, controls examined and access lists regularly reviewed. All of these actions together can go a long way to improving security.
Regular penetration testing is also vital. However, it’s just as important to test employee awareness.
An effective security strategy should include the internal training of staff, making sure they are fully trained and apprised of what to look out for across the different kinds of attack, whether via email, over the phone or via SMS.
Strengthening the weakest link
As hackers continue to evolve, businesses need to do everything they can to protect against all avenues of attack. Technical defence is still paramount, but this needs to be supported by a strong internal security programme to educate and test employees.
A solid security awareness programme will enhance technical controls and toughen the security posture of the organisation. The effectiveness of employee awareness training should also be measured by regular phishing or red team assessments which simulate real-world cyber attack scenarios to help identify any gaps in security, both physical and cyber, and put in place plans for remediation.
It is a fact that employees will always be the weakest link, but with the right education they can be an organisation’s biggest asset in terms of defence.
Tenacity and imagination
As the techniques used by hackers continue to evolve, security must be at the forefront of company strategy and definitely not an afterthought. It is those organisations that are prepared for uncertainty and that approach their digital transformation with a security-focused mindset that will be best positioned to survive in the ever more hostile connected ecosystem.
The introduction of regulations like GDPR and the NIS directive has helped increase awareness of cyber security at board level. But there is a need for a greater understanding of the new techniques and security issues that are continuously emerging.
Organisations must have the right policy, processes and tested mechanisms in place to be able to prevent and respond to attacks at the right time, and defend their cyber security with the same tenacity and imagination as the modern hacker.